CONTROL DEVICE AND METHOD FOR ASSUMING CONTROL
A control device for a vehicle includes a communication module, which establishes a transmission connection and a receiving connection to a server external to the vehicle, and a control module connected to it for driving functions, which receives data of at least one sensor and controls at least one actuator for at least partially autonomously controlling at least one of the driving functions in the vehicle. A disconnector physically separates at least the receiving connection, and a read-only memory stores a piece of software for overwriting the software in the communication module and the control module in case of interference. When the control device in the vehicle has presumably been tampered with, control of it is assumed by separating at least the receiving connection, bringing the vehicle into a safe traffic state as needed, and overwriting the software in the control module and the communication module with the software from the read-only memory.
Exemplary embodiments of the invention relate to a control device having a control module for controlling at least one actuator for at least partially autonomously controlling at least one driving function of a vehicle, as well as a method for assuming control via a control device of this kind that has presumably been tampered with.
Crosslinked control devices for a vehicle that communicate via communication modules with servers external to the vehicle, so-called backend servers, are known from the prior art. The field will be made use of more and more in the future, be that for navigation systems or for driver assistance systems controlling a manually driving vehicle or a vehicle at least partially under the control of a person using the vehicle. Along with such functionalities, referred to below as partially autonomous driving functions, crosslinked control devices will also be used in the future, in particular for autonomously driving vehicles.
Both with partially autonomous driving functions, and in particular with autonomous driving, safety plays a crucial role. The safety of the functionality of individual sensors can be achieved, for example, by redundancies and/or by monitoring individual sensors or sensor groups using other sensors or sensor groups. In this context, reference can be made to DE 10 2017 126 877 A1. With crosslinked vehicles or their control devices, a further aspect now plays a crucial role: security. The communication between the external server and the communication module of the vehicle is relevant to safety with regard to the driving function. For this reason, the communication is encrypted and authenticated. Thus, on one hand, tamper protection can be ensured and, on the other hand, it can be verified that the intended communication partners actually communicate with one another. Strictly speaking, encryption alone only provides confidentiality; the integrity of the data and the authenticity of transmitter and receiver require a message authentication code or a digital signature in addition, which the secured communication methods used here combine with the encryption.
Here, typical methods are, at present, asymmetric public-key methods. The fact is, however, that a static security architecture cannot underlie such approaches, because technologies for encrypting and for breaking encryption are constantly being developed further. A security architecture selected at one point in time would thus become outdated in the near future as a result of the advancement of technology, such that a gateway to the communication between the backend server and the vehicle would be open to an attacker, for example. They could thus provide the vehicle with corresponding malware or harmful commands, such that accidents can be provoked, or autonomously driving vehicles can be directed to incorrect destinations, for example in order to unlawfully unload the cargo, or similar. This is a horror scenario both for the vehicle manufacturers and for the people using the vehicles. However, to a certain extent there is no stopping this, since ciphers which currently cannot be broken despite considerable effort may become breakable in the near future, in particular if so-called quantum computers were to come into use; these have a completely new way of doing calculations and would render the public-key methods considered secure today, in particular those based on factoring and discrete logarithms, ineffective. Of course, the approaches to cryptography will be developed further. However, it must be feared that gaps in the methods will occur more and more, such that, despite all security technology, attackers procure unwanted access to the communication between the external server and the vehicle in order to manipulate the vehicle in an unwanted and dangerous manner.
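The preceding two paragraphs treat "encryption" as the mechanism that protects integrity and authenticity. The following is an added example, not part of the patent text, that makes the distinction concrete: a bare stream cipher keeps a backend command confidential but lets an attacker who knows the plaintext layout rewrite it bit by bit, whereas an encrypt-then-MAC construction with a sequence counter rejects both the forgery and a replay. The XOR keystream built from SHA-256 is a toy used only to make the malleability visible, and the key, nonces and the `SET_SPEED=...` command format are invented for the demonstration.

```python
"""Added example (not from the patent): encryption alone is malleable; a MAC
plus a sequence counter is what gives the vehicle integrity, authenticity
and replay protection. Toy cipher, invented key/nonce/command format."""
import hashlib
import hmac
import struct


def _keystream(key, nonce, length):
    # Toy keystream: SHA-256 over key || nonce || block counter. Demo only.
    out = b""
    for i in range((length + 31) // 32):
        out += hashlib.sha256(key + nonce + struct.pack(">Q", i)).digest()
    return out[:length]


def toy_encrypt(key, nonce, data):
    """XOR stream cipher (decryption is the same call). Confidential, but every
    ciphertext bit maps to exactly one plaintext bit, so it is malleable."""
    return bytes(a ^ b for a, b in zip(data, _keystream(key, nonce, len(data))))


def forge_without_mac(ciphertext, offset, known_old, wanted_new):
    """An attacker who knows the plaintext bytes at `offset` rewrites them
    without knowing the key: flip ciphertext bits by old XOR new."""
    ct = bytearray(ciphertext)
    for i, (o, n) in enumerate(zip(known_old, wanted_new)):
        ct[offset + i] ^= o ^ n
    return bytes(ct)


def _subkeys(key):
    # Separate keys for encryption and authentication, derived from one secret.
    return (hashlib.sha256(key + b"enc").digest(),
            hashlib.sha256(key + b"mac").digest())


def seal(key, seq, plaintext, nonce):
    """Encrypt-then-MAC: the tag covers nonce, sequence number and ciphertext."""
    enc_key, mac_key = _subkeys(key)
    ct = toy_encrypt(enc_key, nonce, plaintext)
    header = nonce + struct.pack(">Q", seq)
    tag = hmac.new(mac_key, header + ct, hashlib.sha256).digest()
    return {"nonce": nonce, "seq": seq, "ct": ct, "tag": tag}


class Receiver:
    """Vehicle side: verifies the tag before decrypting and refuses any
    sequence number that does not strictly increase (replay/reorder)."""

    def __init__(self, key):
        self.enc_key, self.mac_key = _subkeys(key)
        self.last_seq = 0

    def open(self, msg):
        header = msg["nonce"] + struct.pack(">Q", msg["seq"])
        expected = hmac.new(self.mac_key, header + msg["ct"], hashlib.sha256).digest()
        if not hmac.compare_digest(expected, msg["tag"]):
            raise ValueError("tag mismatch: tampered message or wrong sender")
        if msg["seq"] <= self.last_seq:
            raise ValueError("replayed or reordered command")
        self.last_seq = msg["seq"]
        return toy_encrypt(self.enc_key, msg["nonce"], msg["ct"])
```

The first half shows the failure mode: changing `SET_SPEED=050` to `SET_SPEED=150` needs no key, only knowledge of where the digit sits. The receiver in the second half checks the tag with a constant-time comparison before touching the ciphertext and keeps a monotonic counter, which is the minimum a command channel to a driving function should do regardless of which cipher is underneath.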
DE 10 2017 126 877 A1 discloses a control system for an autonomous vehicle having at least one controller, which receives first sensor values from a first group of sensors, in order to recognize a first state of a detected object in the vicinity of the vehicle, and second sensor values from a second group of sensors, in order to recognize a second state of the detected object. Based on a comparison of these states, an actuator of the vehicle is automatically controlled, which is set up to control vehicle steering, acceleration, braking, or gear changing.
DE 10 2017 220 845 A1 relates to a control device network having a plurality of control devices for a vehicle for shifting or migrating a function or application or a process from a first control device to a second control device of the control device network. The control device network is designed to identify, in particular as needed, the function or application or process on the first control device for shifting and to select a suitable second control device.
A controller for an engine with controllable overwriting of the controller programs or data after stopping the engine is described in DE 696 02 693 T2.
DE 11 2014 000 623 T5 describes an access limitation device, an on-board communication system, and a method for limiting communication, which are intended to prevent the divulgence of information as a result of an unauthorized access by malware programs to a network internal to the vehicle.
Against this backdrop, exemplary embodiments of the present invention are directed to an improved control device and to a method for assuming control via a control device that has presumably been tampered with, in order to remain capable of acting even in the event of a compromised control system.
The control device according to the invention for a vehicle comprises a communication module having a transmission connection and a receiving connection to a server external to the vehicle, and a control module connected to it for driving functions, which receives data of at least one sensor and controls at least one actuator for at least partially autonomously controlling a driving function in the vehicle. This is common in partially or completely autonomously driving vehicles, or in manually driven vehicles with assistance systems, which are crosslinked. The control device according to the invention now additionally provides a disconnector for physically separating at least the receiving connection, and a read-only memory in which a piece of software for overwriting the software in the communication module and the control module, and optionally in further modules of the control device for the vehicle, is stored.
In the case of a recognized or presumed compromised communication, it must be assumed that malware has already found its way into the control device for the vehicle via the communication channel. A person driving or monitoring the vehicle can now physically separate at least the receiving connection in order to ensure that no further information and/or control commands possibly carrying malware reach the control device for the vehicle and/or are executed by it. Using the read-only memory, in which the corresponding software is stored in a manner that cannot be changed and is resistant to tampering, the software from it can then be written over any malware in all modules of the control device. Possible malware is thus replaced with an original version of the control software from the read-only memory. The read-only memory must of course be designed to be resistant to tampering, such that the software contained in it cannot be modified. The process must be controlled in such a way that all software in the control module is completely deleted, such that any malware is also overwritten; for this to hold, the erase and reinstall sequence itself must run from code that the possibly compromised module software cannot influence, since otherwise malware could skip or only simulate the overwrite. The software is then installed from the read-only memory, and the control device has its original functionality again. Depending on the software version in the read-only memory, some functions, some adjustments undertaken by the user, etc. may be lost, yet a base functionality of the control device is available in any case. An updated version can be brought into the read-only memory on the vehicle side, for example at service intervals, by the memory being replaced.
According to a very simple and efficient embodiment of the control device according to the invention, it is provided that the disconnector can be triggered manually. The disconnector can thus be triggered directly mechanically in its simplest variant. It can be a simple switch or button which, in the manner of an emergency switch, interrupts autonomous or partially autonomous driving functionalities, for example, and can be manually actuated easily, efficiently, and quickly by a person in the event of suspected tampering with the control device.
Alternatively, it is of course also possible to activate the disconnector via a remote triggering, for which this can be triggered according to an advantageous development of the invention via at least one further communication connection while bypassing the communication module. Such a further communication connection must be set up to be strictly separate from the communication with the backend server, in order to not be affected by this in the event of malware infiltrating. It can then be used to trigger the disconnector via a remote triggering and to activate the scenario described above. This can be used, in particular, for example with driverless systems, such as driverless buses or driverless heavy goods vehicles, for example when a monitoring system for the driverless vehicles establishes that they are moving on a route on which they actually should not be on, such that it is presumed that the control device is being tampered with.
As already mentioned, it is sufficient, in principle, when the disconnector separates the receiving connection. Comparatively less damage can be caused via the transmission connection. Nevertheless, it can be meaningful to also correspondingly separate the transmission connection, such that, according to an advantageous development of the idea, it is provided that the disconnector is designed in such a way that it additionally separates the transmission connection. Here, this separation can preferably be carried out as a physical separation.
A further very advantageous design of the invention provides that the disconnector additionally separates the connection to coupled user-specific software modules. Such user-specific software modules, also referred to as third-party modules, can be coupled to the vehicle, in particular connected to it via a plug connection. Since it cannot be excluded that the attack on the vehicle is carried out via these software modules, or that malware has been stored on one of them during the attack, it must be ensured that these are also physically separated from the system. This can be carried out either via the disconnector or via a further disconnector or, if the vehicle is used by a person or a person is on board, they can also unplug the corresponding modules before the control software is copied into the control module again from the read-only memory.
In order to be able to overwrite the software in all modules of the control device, it is necessary to temporarily deactivate all driving functions. This typically presupposes a safe traffic state of the vehicle, for example a parked state. In order to reach this state without the danger of potential tampering preventing it, according to a very advantageous and favorable design of the control device according to the invention, the disconnector is further set up to deactivate the control module and to activate a read-only emergency control module. According to a very advantageous development of the idea, this read-only emergency control module has access to the few sensors and actuators necessary for its functionality, in order to bring the vehicle into a safe traffic state, in particular a parked state, when it is activated. Thus, the vehicle can be stopped, for example, and driven onto the hard shoulder, while a hazard warning light or similar is activated. As soon as the vehicle has reached a safe traffic state, in particular a parked state, the potentially infected software of all modules of the control device is overwritten with the software saved in the read-only memory.
The method according to the invention describes this sequence, already outlined above, once again in detail. Independently of the constructive structure of the control device, at least the receiving connection is physically separated, after which it is checked whether the vehicle is in a safe traffic state, in particular a safe parked state. If this is the case, the software in all modules of the control device can be overwritten with the software saved in the read-only memory. If this is not the case, a read-only emergency control module must first be activated, which brings the vehicle into a safe traffic state, in particular a parked state, before the software in the other modules of the control device is overwritten and thus replaced with software not infected with malware.
Here, it is also conceivable, in principle, to leave the transmission channel open, yet this can optionally also be interrupted, as described above.
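The following is an added example, not taken from the patent, that walks through the sequence of the preceding paragraphs (disconnect, check the traffic state, fall back to the emergency control module, then reinstall from the read-only memory) as a small simulation. It also covers the two points raised above that a practitioner would want enforced: the trigger must arrive by the manual button or by a link that bypasses the communication module, and the reinstall is verified against the digests of the read-only images. The module names, image contents, the braking model, the restriction of the emergency module to brake and hazard-light actuators, and the rule that "safe traffic state" means stopped on the hard shoulder are all assumptions made for the demonstration.

```python
"""Added example (not from the patent): simulation of the assume-control
sequence. Module names, images, braking model and safe-state rule are assumed."""
import hashlib
from dataclasses import dataclass, field


class ReadOnlyMemory:
    """Recovery images plus their digests. Writes are refused, mirroring the
    requirement that only a chip exchange in the workshop can update them."""

    def __init__(self, images):
        self._images = dict(images)
        self.digests = {m: hashlib.sha256(b).hexdigest() for m, b in self._images.items()}

    def image(self, module):
        return self._images[module]

    def __setitem__(self, module, data):
        raise PermissionError("read-only memory: replace the chip in the workshop")


@dataclass
class Vehicle:
    speed_kmh: float
    on_shoulder: bool = False
    hazard_lights: bool = False

    def in_safe_state(self):
        # Assumed definition of "safe traffic state": stopped on the hard shoulder.
        return self.speed_kmh == 0 and self.on_shoulder


@dataclass
class ControlDevice:
    rom: ReadOnlyMemory
    vehicle: Vehicle
    software: dict = field(init=False)
    receive_open: bool = True
    transmit_open: bool = True
    third_party_attached: bool = True
    control_active: bool = True
    emergency_actuators_used: list = field(default_factory=list)

    def __post_init__(self):
        # Regular operation: the modules run their own copies, not the ROM images.
        self.software = {m: self.rom.image(m) for m in ("communication", "control")}

    def disconnect(self, transmit=False, third_party=False):
        self.receive_open = False              # physical separation of receiving connection
        if transmit:
            self.transmit_open = False         # optional separation of transmission connection
        if third_party:
            self.third_party_attached = False  # optional separation of third-party modules

    def emergency_stop(self):
        """Read-only emergency module: deactivates the control module and drives
        only the brake and hazard-light actuators; it never touches the comm module."""
        self.control_active = False
        while self.vehicle.speed_kmh > 0:
            self.vehicle.speed_kmh = max(0.0, self.vehicle.speed_kmh - 10.0)
            self.emergency_actuators_used.append("brake")
        self.vehicle.on_shoulder = True
        self.vehicle.hazard_lights = True
        self.emergency_actuators_used.append("hazard_lights")

    def restore_from_rom(self):
        """Erase every module image completely, reinstall from ROM, then verify
        each installed image against the ROM digest before trusting it."""
        for module in list(self.software):
            self.software[module] = b""
        for module in self.software:
            self.software[module] = self.rom.image(module)
        return set(self.software) == set(self.rom.digests) and all(
            hashlib.sha256(self.software[m]).hexdigest() == d
            for m, d in self.rom.digests.items())


def assume_control(device, trigger_channel):
    """trigger_channel is 'button' (manual) or 'oob' (a separate link that
    bypasses the communication module). Anything else is refused, because a
    trigger relayed through the possibly compromised module could be spoofed."""
    if trigger_channel not in ("button", "oob"):
        raise ValueError("disconnector must be triggered out of band")
    device.disconnect(transmit=True, third_party=True)
    if not device.vehicle.in_safe_state():
        device.emergency_stop()
    restored = device.restore_from_rom()
    device.control_active = restored
    return restored
```

Two details of the simulation carry the security weight: the `ReadOnlyMemory` class refuses writes from any caller, so the recovery image cannot be poisoned by the very software it is meant to replace, and `assume_control` refuses a trigger that did not arrive by the button or the out-of-band link, since a trigger carried over the compromised channel could equally well be suppressed or faked. The digest check after reinstall is the added verification step; in a real device the reference digests would have to live in the same tamper-resistant memory as the images.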
Further advantageous designs of the control device according to the invention and the method according to the invention moreover emerge from the exemplary embodiments, which are depicted in more detail below while referring to the figures.
Here are shown:
In the depiction of
In addition, purely by way of example, a GPS module, labelled with 9, is indicated as a further sensor and is connected to the control module 3. Moreover, the control module 3 is connected to actuators 10, which are formed to influence the vehicle 1, for example for accelerating, braking, steering, or similar. They can also be correspondingly used for autonomous and for partially autonomous driving, i.e., supporting a person driving the vehicle 1 using driver assistance systems.
Moreover, the control device in the vehicle 1 now has a read-only memory 11, in which the software for the communication module 2 and the control module 3, and optionally further modules present in the control device, is saved. Here, this software is protected from any access and possible tampering in the read-only memory 11. In regular operation, it is not in connection with the modules 2, 3, but rather these have installed their own, ideally the same, software or possibly also an already newer version of the software.
An emergency control module 12, the functionality of which will be discussed in more detail later, is also designed to be tamper-proof and read-only, such that no change of the functionalities of the emergency control module 12 is possible via the software of the modules 2, 3. It is correspondingly connected to at least some of the actuators 10 and some of the sensors 8, yet typically does not require a connection to all sensors 8, 9 for its functionality, which will be described in more detail later, even if this is conceivable in principle.
The functionality of the vehicle 1 and the communication with the backend server 5 are regular here, such that the read-only memory 11 and the emergency control module 12 are currently not needed. They are therefore depicted dotted, since they are not integrated into the procedures of the control device. Both the backend server 5 and the modules 2, 3 are provided with a check mark to symbolize the regular and uncompromised state of the control device in the vehicle 1.
In the depiction of
There is thus the risk of an accident or theft of the vehicle 1, for example, possibly caused by malware, hijacking or similar.
When a person in the vehicle 1 no longer trusts it during an autonomous driving mode, for example because they recognize a hijacking or a driving maneuver that is completely inappropriate for the situation, and are possibly also not in a position to seize control of the vehicle, for example by means of a manual steering intervention, they can assume that the control device is being tampered with. Along with such an assumption based on the experience and observations of a person in the vehicle 1, a request to the respective person can also be issued, for example by the vehicle manufacturer, in particular when the vehicle manufacturer has established that the server 5 or the communication between the server 5 and its vehicles 1 is compromised. A request for a reaction can then be made to a person using the vehicle 1 or located in it, for example via a radio announcement, via a mobile telephone, or via other information channels. The person in the vehicle 1 or, if it is driving completely autonomously, such as a local transport bus or a heavy goods vehicle, an external person involved in controlling the vehicle 1, can now actuate a disconnector 13. In the figures, this disconnector 13 is arranged between the communication module 2 and the server 5 for physically separating the receiving connection 7. It can be triggered mechanically by a person in the vehicle 1, for example via the indicated button or switch 14. A remote triggering, as is indicated in
In order to be able to react accordingly, it is important that the vehicle 1 is in a safe traffic state, in particular a parked state. If this is the case, the reaction can take place directly after opening the disconnector 13. If this is not the case, and the scenario described here is therefore to be assumed, then the emergency control module 12 already mentioned is activated by the disconnector 13 via the control line marked with 16 in
If the vehicle 1 has reached its safe traffic state, for example a safe parked position, the emergency control module 12 is deactivated again, as is indicated in the depiction of
After reinstalling the software, the state symbolized in
The software in the read-only memory 11 and in the emergency control module 12, which is stored in a read-only manner comparable to that in the read-only memory 11 and tamper-resistant within the control device, also cannot be changed by a person using the vehicle 1, but only by exchanging the corresponding memory chip for one with a newer version of the software, for example at a service interval in a workshop. An update can thus only be carried out manually in the workshop; unlike an update of the other modules 2, 3, it cannot be initiated by the backend server 5, so as not to create a gap in the security system.
As already mentioned several times, along with the separation of the receiving connection 7, the transmission connection 6 can also be separated. In the depiction of
Furthermore, it is such that, in the depiction of
Although the invention has been illustrated and described in detail by way of preferred embodiments, the invention is not limited by the examples disclosed, and other variations can be derived from these by the person skilled in the art without leaving the scope of the invention. It is therefore clear that there is a plurality of possible variations. It is also clear that embodiments stated by way of example are only really examples that are not to be seen as limiting the scope, application possibilities or configuration of the invention in any way. In fact, the preceding description and the description of the figures enable the person skilled in the art to implement the exemplary embodiments in concrete manner, wherein, with the knowledge of the disclosed inventive concept, the person skilled in the art is able to undertake various changes, for example, with regard to the functioning or arrangement of individual elements stated in an exemplary embodiment without leaving the scope of the invention, which is defined by the claims and their legal equivalents, such as further explanations in the description.
Claims
1-12. (canceled)
13. A control device for a vehicle, the control device comprising:
- a communication module configured to establish a transmission and receiving connection to a server external to the vehicle;
- a control module, connected to the communication module, configured to control driving functions, wherein the control module is configured to receive data of at least one sensor and configured to control at least one actuator for at least partially autonomously controlling at least one of the driving functions in the vehicle;
- a disconnector configured to physically separate at least the receiving connection; and
- a read-only memory, which stores a piece of software for overwriting software in the communication module and software in the control module in case of interference.
14. The control device of claim 13, wherein the disconnector is configured to be mechanically triggered.
15. The control device of claim 13, wherein the disconnector is configured to be remotely triggered via at least one communication connection while bypassing the communication module.
16. The control device of claim 13, wherein the disconnector also separates the transmission connection.
17. The control device of claim 13, wherein the disconnector is configured to separate a connection to user-specific software modules coupled to the control module or to the communication module.
18. The control device of claim 13, wherein the disconnector is configured to deactivate the control module and to activate a read-only emergency control module.
19. The control device of claim 18, wherein the read-only emergency control module is connected to the at least one sensor and the at least one actuator, which are necessary for bringing the vehicle into a safe traffic state.
20. A method for assuming control of a vehicle via a control device that is presumed to have been tampered with, the control device having a communication module, which establishes a transmission and receiving connection to a server external to the vehicle, and a control module connected to the communication module to control driving functions, wherein the control module receives data of at least one sensor and controls at least one actuator for at least partially autonomously controlling at least one of the driving functions in the vehicle, the method comprising:
- determining that the control device is presumed to have been tampered with;
- physically separating at least the receiving connection responsive to the determination that the control device is presumed to have been tampered with;
- checking, after physically separating at least the receiving connection, whether the vehicle is in a safe traffic state;
- responsive to the vehicle not being in a safe traffic state, deactivating the control module and activating a read-only emergency control module to bring the vehicle into the safe traffic state; and
- overwriting, responsive to the vehicle being in a safe traffic state, software in the control module and in the communication module with saved software from a read-only memory.
21. The method of claim 20, wherein the physical separation of at least the receiving connection is carried out via a disconnector, wherein the disconnector is mechanically triggered responsive to a suspicion of, or a piece of information about, the control device having been tampered with.
22. The method of claim 20, wherein the physical separation of at least the receiving connection is performed via a disconnector, wherein, responsive to a suspicion of, or a piece of information about, the control device having been tampered with, the disconnector is triggered via at least one safe communication connection in parallel to separating at least the receiving connection of the communication module.
23. The method of claim 20, wherein, responsive to the determination that the control device is presumed to be tampered with, connections to coupled user-specific software modules of the vehicle are physically separated.
24. The method of claim 20, wherein, responsive to the determination that the control device is presumed to be tampered with, the transmission connection is physically separated.
Type: Application
Filed: Feb 17, 2020
Publication Date: May 5, 2022
Inventor: Fridtjof STEIN (Ostfildern)
Application Number: 17/431,780